AWS Bucket Exposes 50.4 GB of Financial Giant’s Data

Another AWS bucket has been exposed to the public. This time the bucket belonged to Birst.

A cyber security team has discovered a massive trove of data exposed due to an unprotected Amazon Web Services (AWS) S3 bucket. The database belonged to Birst, a Cloud Business Intelligence (BI) and Analytics firm.

The exposed database contained 50.4 GB worth of data of one of Birst’s users, Capital One, a financial services giant and the eighth-largest commercial bank in the United States. The leaked data contained technical information on a Birst device specially configured for Capital One’s cyberinfrastructure.

According to the cyber security researchers’ report, the data also contained passwords, administrative access credentials and private keys for use within Capital One systems by an on-premise Birst cloud environment. The exposed data was enough to show an attacker how the Birst device used by Capital One could have been compromised, and how to dig deeper into the company’s IT system.

The data was discovered on January 15th, 2018 by the data security professional Chris Vickery. It was located at the sub-domain “capitalone-appliance” and was accessible to anyone.

One of the files identified was labeled “Client.key” and carried an encryption key used to decrypt data. However, the key was stored with the encrypted device, which could have allowed hackers to decrypt the device.

Furthermore, the data security researcher claimed to have identified usernames and their hashed passwords used by the company in the database for the device.

“The good news is that the attacker would first need to compromise Capital One’s network to use the leaked credentials to attempt to compromise the Birst device. This leak does not expose all the information stored in those other systems. Rather, this leak multiplies the effect of any successful attack, whether through phishing, malware, social engineering, or insider threat, to a potentially catastrophic scale,” the cyber security researcher concluded.

Days after the discovery, the cyber security team deleted their blog post about Birst’s exposed database. In an email, a spokeswoman for Capital One said that “At no time was any Capital One information exposed. This was simply an instance of a vendor’s software that was hosted in their cloud environment. The referenced passwords and credentials are generic and are used for installing this software. As a matter of standard practice, Capital One changes all default settings, including credentials, prior to deploying third-party software. Because of this, there is no impact to the security of Capital One systems and data.”

But this week, the data security team restored and updated its blog post, which now states that “Capital One has reached out to the team to provide further comments on the intended use of the Birst device in their environment.”